Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: proxyworker high CPU usage
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
proxyworker high CPU usage
Hi
to begin with - i am new to Fortigate :)
We have 90D in test lab with one laptop for now.
Firmware Versionv5.2.5,build701
WAN connection is 100mbps.
When downloading - one http session - big file 650MB tar.gz file CPU of our fortigate goes 95-99%.
diag sys top - show that it is proxyworker that consumes all of cpu
I use web filter default profile.
Is it normal that cpu is so high ?
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Dawid,
I remember that I had a similar error when I had upgraded to firmware 5.2.5.
Do you have policies using SSL Inspection Profile with Full SSL Inspection and inspecting all ports?
I could solve this issue changing my profile to:
Inspection Method: SSL certificate Inspection
These setting are located in Policy & Objects -> SSL Inspection.
I did not receive any errors and high CPU after doing this.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
regardles what SSL Inspection Profile i use - certificate-inspection or deep-inspection - it is the same CPU effect 99%.
It does not affect CPU even i turn OFF SSL Inspection at all.
What doese make a difference is turning OFF web fitler.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Today i noticed that when i turn OFF all except Webfilter in Policy
and start to download 1,4GB TAR.GZ file - then CPU is 99%
but when i start to download 1,4GB text file = cpu is 5%
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have also the same problem.
proxyworker is crashed periodically. (cpu util is also almost 100%)
Did you solve the problem?
If so, Please let me know.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
we got exactly the same issue on our "old" 300C and 60C. After a lot of investigation with Fortinet technicians on site we discovered that the issue is linked to SSL deep inspection because some of the encryption/decryption algorithms for TLS 1.2 cannot be offloaded to the hardware (CP6 on the FGT300C). As most of the web sites is moving to more secure encryption (meaning longer keys) the old boxes are no more able to manage it on the CP and have to manage it via CPU.
You can look at the "top visited" sites and have a look at which algorith is negotiated. As an example one of our top-most site was "live.com" and here TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 is used but:
on the FG300C platform, AES256 can be offloaded, but the hash algorithm (SHA384) will be performed in CPU. on the FGT60C platform, there is no hardware acceleration modules, so AES256, SHA384 will be performed in CPU.
Bottom line: boxers with no hardware acceleration or with old CP processors are not able to use the hardware acceleration anymore with the new crypto keys. No way to resolve this except for disabling the SSL deep inspetion or moving to some "faster" box until fortinet will come up with new models able to manage the new encryption leves.
We got months to go till the end of this issue (and a lot of customer screams) so I hope this can be of help for you to save time and efforts...
Bye
Gianluca
FGT: 50E,100D, 200D, 600D
FMG: VM64
FAZ: VM64
FGT: 50E,100D, 200D, 600DFMG: VM64
FAZ: VM64
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
we have 310B device.
we tried to disable the SSL deep inspection but problem is not solved.
we also patched fortiOS5.2.6 to solve this problem but it was not solved.
proxyworker process is crashed periodically(3~4 times in an hour) and internet is stopped at that moment.
After a few seconds internet is reconnected normally. (it seems that crashed proxyworker process is relaunched automatically)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I checked our documentation. We had the exact same issue on our 300C using 5.2.5. This behaviour was recognized has a bug (proxyworker stucking cpu to 100% and continuosly restarting) and was fixed in 5.2.6. It's not related to ssl deep inspection (we had other issues with this...) so sorry for having you mis-headed. We solved the issue with the release of 5.2.6 (you also see some proxyworkes issue addressed in this release) so.. no idea why the upgrade didn't fixed it for you.
Bye
Gianluca
FGT: 50E,100D, 200D, 600D
FMG: VM64
FAZ: VM64
FGT: 50E,100D, 200D, 600DFMG: VM64
FAZ: VM64
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,697 -
FortiClient
1,763 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
432 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
209 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiGate-VM
13 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1712 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.